ISO collects personal data from people involved in standardization work through its IT tools and services. In the ISO context, "Personal Data" includes a person’s or identifiable person’s names, email addresses, physical addresses, telephone numbers and roles played that are collected and used for ISO's Purpose (defined below). Due to the international structure of ISO, this Personal Data is likely to be used (i.e. in a legal sense “transferred” and “processed”) in and outside the territory of Switzerland by the ISO Central Secretariat (ISO/CS), ISO Members, third parties and other individuals located in nearly all countries in the world. This ISO Member Data Protection Policy ("Policy") applies to Personal Data regardless of the country in which it is collected or used. It does not apply to the Personal Data that an ISO member collects and uses outside of ISO's Purpose.
As an ISO Member, you are responsible for protecting Personal Data in accordance with this Policy even if you give access to this Personal Data to:
- People within your organization (including Member Body User Administrators "MBUA", Committee Managers, IT staff, etc.);
- Third Parties (including sub-organizations, agents, subcontractors, etc.) outside your organisation.
- Others through computer interfaces.
As an ISO Member, you must:
1. ensure that the people whose Personal Data you collect and use*:
- understand that ISO and its members are bound by an ISO Policy protecting the personal data of everyone participating in the ISO system;
- consent to their Personal Data being collected, used, shared and archived for the development of standardization and related activities;
- agree that their Personal Data could be transferred to countries with laws that may not guarantee the same level of data protection as in their country or Switzerland (where ISO/CS is based); and
- know that you and the ISO Data Protection Officer are available to answer any questions about the content and purpose of their Personal Data .
2. ensure that the people you allow to access Personal Data*:
- agree to use the Personal Data they access only for the development of standardization and related activities in the world with a view (i) to facilitating international exchange of goods and services and (ii) to develop cooperation in the spheres of intellectual, scientific, technological and economic activity (ISO's Purpose);
- agree to respect relevant ISO rules and any applicable laws; and
- understand that they remain bound by these obligations even after their participation in the standards development work ends.
If they don't agree to the conditions in clause 1 and 2 above you should not enter their Personal Data into ISO IT tools (or remove it if already entered).
3. collect, use, share and archive (i.e. “process”) Personal Data solely to promote and improve the development of standardization and related activities and services in the world with a view (i) to facilitating international exchange of goods and services and (ii) to developing cooperation in the spheres of intellectual, scientific, technological and economic activity – this means that Personal Data cannot be collected and used for commercial purposes unless the person concerned has also explicitly given permission for this to ISO or the ISO Member;
4. undertake appropriate technical and organizational measures to protect Personal Data prior to processing it, including nominating at least one person for ISO/CS to contact regarding any data protection issues;
5. immediately inform the person to whom the Personal Data relates and ISO/CS if you cannot comply with this Policy;
6. immediately inform and cooperate with ISO in case of any accidental or unauthorised access;
7. ensure that Personal Data is kept up-to-date and deleted, as appropriate, in the ISO Global Directory and any other ISO IT tool in which Members are required to enter Personal Data;
8. fully and quickly cooperate with ISO in fulfilling information requests by people whose Personal Data we hold and ISO undertakes to fully and quickly cooperate with ISO Members that receive information request;
9. if you cease to be an ISO Member, destroy any Personal Data and copies thereof to which this Policy applies and certify its destruction to ISO in writing; and
10. ensure that your employees and any third parties entering or accessing Personal Data on your behalf accept this Policy or equivalent or stricter terms. In all cases, you remain responsible for compliance with this Policy by such third parties.
ISO may change this Policy in consultation with its Members. Members will be informed and the changes will be posted online.
Responsibility for the protection of Personal Data lies with ISO Members, who are also accountable to one another. Any ISO Member with concerns about the practices of another ISO Member should contact that Member and inform the ISO Data Protection Officer.
ISO may require ISO Members to terminate the access of third parties in case of doubt regarding compliance with this Policy. The Secretary-General may also decide to take measures against ISO Members that do not comply with this Policy.
Any data protection and related laws to which ISO Members are normally subject continue to apply. This Policy adds to, and does not replace, such laws. Where national data protection laws offer equal or stricter protection, they can override this Policy. Members are obliged to report other conflicts between this Policy and laws to which they are subject to ISO/CS.
This Policy is governed exclusively by Swiss law with the exclusion of its international private law. The exclusive place of jurisdiction shall be Geneva, Switzerland.
* ISO will assist the Member with this by sending an email advising the person of this when their data is first entered in the ISO Global Directory. If a Member wants to opt-out of this service they should contact firstname.lastname@example.org.